SecurEnvoy provides two-factor authentication for remote access solutions. It integrates directly into Microsoft's Active Directory and removes the need for additional user security databases. It provides a seamless login into the Windows 2008R2 Remote Desktop environment by entering three pieces of information.
External Authentication with Windows 2008R2 Server
with Remote Desktop Web Gateway
Authenticating Users Using SecurAccess Server by SecurEnvoy
Contact information: SecurEnvoy, www.securenvoy.com, 0845 2600010, 1210 Parkview, Arlington Business Park, Theale, Reading RG7 4TY
Andy Kemshall, akemshall@securenvoy.com
2005 SecurEnvoy Ltd. All rights reserved Page 2
Windows 2008R2 Server with Remote Desktop Web Gateway Integration Guide
This document describes how to integrate a Windows 2008 R2 Remote Desktop Web (RDWeb) Gateway installation with SecurEnvoy's two-factor authentication solution, SecurAccess. Microsoft Windows 2008R2 Remote Desktop provides web-based secure application access to the internal corporate network. Connections to Remote Desktop must be made from a browser and not directly from a terminal server client.
SecurAccess provides two-factor, strong authentication for remote access solutions (such as Microsoft's) without the complication of deploying hardware tokens or smartcards. The two factors are your PIN and your phone, on which the one-time passcode is received.
SecurAccess is designed as an easy to deploy and use technology. It integrates directly into Microsoft's Active Directory and removes the need for additional user security databases. The SecurAccess authentication server is integrated directly with LDAP or Active Directory in real time.
The SecurEnvoy Security Server can be configured to use the existing Microsoft password. Using the Windows password as the PIN allows the user to enter their UserID, Windows password and the one-time passcode received on their mobile phone. The authentication request is passed from the SecurEnvoy IIS Web Agent over HTTP (the authentication packet is encrypted with 128-bit AES) to the SecurEnvoy server, which carries out the two-factor authentication. The result is a seamless login into the Windows 2008R2 Remote Desktop environment by entering three pieces of information. SecurEnvoy uses a web GUI for configuration, whereas the Microsoft Windows Server environment uses a GUI application. All notes within this integration guide refer to this approach.
The equipment used for the integration process is listed below:
Microsoft Windows Server 2008R2, installed roles: Remote Desktop Services
SecurEnvoy SecurAccess Server software release v5.2.501
SecurEnvoy IIS Web Agent V5.3.501
Note: This document relates only to RDWeb access. If you want to authenticate Remote Desktop Client connections as well, you will need to install the Windows Login Agent on the Terminal Server hosts instead of this solution: see http://www.securenvoy.com/integrationguides/Windows%20Login%20Agent.pdf
Note: You must use IIS Agent version 5.3.501 or higher. You must use Security Server version 5.2.500 or higher.
Contents
1.0 Pre Requisites ... 3
2.0 Configuration of Remote Desktop Gateway Server ... 3
2.1 Configure IIS to protect Rpc and RDWeb ... 3
2.2 RemoteApp Manager Configuration ... 6
2.3 Setting Up Single Sign-On ... 7
3.0 Configuration of SecurEnvoy Server ... 7
4.0 Test Logon ... 8
1.0 Pre Requisites
It is assumed that Remote Desktop Services has been installed on the relevant server(s). An existing domain user can authenticate using a Windows user name and domain password and access applications. All communications from the client browser to /RDWeb are over HTTPS (port 443).
2.0 Configuration of Remote Desktop Gateway Server
2.1 Configure IIS to protect Rpc and RDWeb
a. Install the SecurEnvoy IIS Web Agent v5.2.501 or higher on the remote desktop gateway server that hosts the IIS virtual directory RDWeb
b. Start IIS Manager
c. Select Default Web Site under the Connections pane
d. Select the SecurEnvoy icon
Note: You must use SecurEnvoy IIS Agent version 5.3.501 or higher. You must use SecurEnvoy Security Server version 5.2.500 or higher.
e. Select Enable Authentication On Default Web Site
f. Apply changes
g. Select Rpc under Default Web Site
h. Select the SecurEnvoy icon
i. Select the check box Enable Authentication On /Rpc
j. Cancel IIS Restart
k. Select RDWeb under Default Web Site
l. Select the SecurEnvoy icon
m. Select the check box Enable Authentication On /RDWeb
n. Apply and restart IIS
o. Navigate back to Default Web Site > RDWeb and select the Authentication icon
p. Disable Basic Authentication
q. Make sure that only Anonymous Authentication is enabled
r. Check that SecurEnvoyAuth is a member of the application pool RDWebAccess; this should be the case if you protected RDWeb last
Note: SecurEnvoyAuth MUST be a member of the RDWebAccess Application Pool
In the Navigation pane, select the top-level host name (the 2nd line down). Scroll down the centre panel and press the SecurEnvoy Two Factor icon. Set up your required inactivity timeout. Add the logout URL logoff.aspx (enter logoff.aspx to the right of the Add button and press Add). Restart IIS when prompted.
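The steps in section 2.1 are all carried out in IIS Manager, so the only record of the result is what the screens show. The following PowerShell check is an added example, not part of the SecurEnvoy guide, that reads the same settings back from IIS so the outcome of steps p, q and r (and the HTTPS prerequisite from section 1.0) can be confirmed or re-checked later. It uses the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2; the site, application and pool names are the guide's defaults, and the SecurEnvoyAuth check assumes the agent is installed as an IIS application of that name under the same site (an assumption, since the guide only says it must be "a member of" the pool). It does not read the agent's own "Enable Authentication" flag, because the guide does not say where the agent stores it.

```powershell
# Added example (not from the SecurEnvoy guide): read back the IIS state that
# section 2.1 expects on the RD Web Gateway server. Run from an elevated prompt.
Import-Module WebAdministration

function Get-AuthEnabled {
    # Returns $true/$false for one IIS authentication module at an IIS: path.
    param([string]$PSPath, [string]$Module)
    $filter = "system.webServer/security/authentication/$Module"
    [bool](Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name enabled).Value
}

function Test-RdWebAuthConfig {
    param(
        [string]$SiteName     = 'Default Web Site',   # from the guide
        [string]$ExpectedPool = 'RDWebAccess'         # from the guide, step r
    )
    $rdweb   = "IIS:\Sites\$SiteName\RDWeb"
    $results = @()

    # Steps p and q: on /RDWeb only Anonymous authentication may stay enabled.
    # If IIS challenged first (Basic/Windows), the browser would never reach the
    # SecurEnvoy logon page that collects UserID, password and passcode.
    $results += New-Object PSObject -Property @{
        Check = '/RDWeb Anonymous authentication enabled'
        Pass  = (Get-AuthEnabled -PSPath $rdweb -Module anonymousAuthentication)
    }
    foreach ($module in 'basicAuthentication', 'windowsAuthentication', 'digestAuthentication') {
        $results += New-Object PSObject -Property @{
            Check = "/RDWeb $module disabled"
            Pass  = -not (Get-AuthEnabled -PSPath $rdweb -Module $module)
        }
    }

    # Step r: /RDWeb and the SecurEnvoyAuth application (assumed to be an IIS
    # application under the site) must both run in the RDWebAccess pool.
    foreach ($appName in 'RDWeb', 'SecurEnvoyAuth') {
        $app = Get-WebApplication -Site $SiteName -Name $appName
        $results += New-Object PSObject -Property @{
            Check = "/$appName runs in application pool $ExpectedPool"
            Pass  = ($null -ne $app -and $app.applicationPool -eq $ExpectedPool)
        }
    }

    # Section 1.0: client browsers reach /RDWeb over HTTPS, so the site needs
    # at least one https binding.
    $https = Get-WebBinding -Name $SiteName -Protocol https
    $results += New-Object PSObject -Property @{
        Check = "$SiteName has an HTTPS binding"
        Pass  = ($null -ne $https)
    }

    $results
}

$report = Test-RdWebAuthConfig
$report | Format-Table Check, Pass -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more section 2.1 settings do not match the guide.'
}
```

Run it on the gateway server after step r and again after the IIS restart; any row with Pass set to False points at the step to revisit in IIS Manager.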
2.2 RemoteApp Manager Configuration
a. Click Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager.
b. In the Overview pane of RemoteApp Manager, next to RDP Settings, click Change.
c. On the Custom RDP Settings tab, type or copy the following RDP settings into the Custom RDP settings box:
pre-authentication server address:s:https://<hostname>/rdweb
require pre-authentication:i:1
Note: <hostname> should be replaced with the external name of the RDWeb server (i.e. the name that the browser will use).
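The two settings above follow the "name:type:value" layout used throughout RDP files and in the .rdp files RemoteApp Manager generates, where the type is s (string), i (integer) or b (binary). A stray space or a value of 0 is easy to miss in the Custom RDP settings box, and the second setting is what stops a client from connecting without first going through the SecurEnvoy logon at /RDWeb. The PowerShell below is an added example, not part of the SecurEnvoy guide: it parses settings in that layout and checks both pre-authentication entries. The sample settings are constructed, and gateway.example.com stands in for the external RDWeb host name.

```powershell
# Added example (not from the SecurEnvoy guide): parse RDP "name:type:value"
# settings and check the two pre-authentication entries from section 2.2.

function ConvertFrom-RdpSettings {
    # Returns a hashtable of setting name -> @{ Type; Value }.
    # The value part may itself contain colons (https://...), so split on the
    # first two colons only. Whitespace around the name and type is tolerated
    # here so that a sloppy copy-paste is reported by the caller, not rejected.
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrEmpty($line) -or $line.Trim() -eq '') { continue }
        $parts = $line.Split(':', 3)
        $type  = if ($parts.Count -eq 3) { $parts[1].Trim() } else { '' }
        if ('s', 'i', 'b' -notcontains $type) {
            throw "Malformed RDP setting: '$line'"
        }
        $settings[$parts[0].Trim()] = @{ Type = $type; Value = $parts[2] }
    }
    $settings
}

function Test-RdpPreAuthSettings {
    # Returns the list of problems found; an empty list means the settings
    # match what section 2.2 asks for.
    param([string[]]$Lines)
    $problems = @()
    $s = ConvertFrom-RdpSettings -Lines $Lines

    $addr = $s['pre-authentication server address']
    if (-not $addr) {
        $problems += 'pre-authentication server address is missing'
    } elseif ($addr.Type -ne 's') {
        $problems += 'pre-authentication server address must be a string (type s)'
    } elseif ($addr.Value -notmatch '^https://[^/\s]+/rdweb/?$') {
        # Also catches a leading space left over from typing ": s: https..."
        $problems += "pre-authentication server address should be https://<hostname>/rdweb, got '$($addr.Value)'"
    }

    $req = $s['require pre-authentication']
    if (-not $req) {
        $problems += 'require pre-authentication is missing'
    } elseif ($req.Type -ne 'i' -or $req.Value -ne '1') {
        $problems += "require pre-authentication must be i:1, got $($req.Type):$($req.Value)"
    }
    $problems
}

# Constructed sample: the guide's settings with a sample external host name.
$good = @(
    'pre-authentication server address:s:https://gateway.example.com/rdweb'
    'require pre-authentication:i:1'
)
# Constructed sample: spaces left in from the printed text, and enforcement
# turned off, so the client would not be made to log on via /RDWeb first.
$bad = @(
    'pre-authentication server address: s: https://gateway.example.com/rdweb'
    'require pre-authentication:i:0'
)

"Problems in good settings: $(@(Test-RdpPreAuthSettings $good).Count)"
Test-RdpPreAuthSettings $bad | ForEach-Object { "Problem in bad settings: $_" }
```

The same function can be pointed at a published RemoteApp file with `Test-RdpPreAuthSettings (Get-Content .\SomeApp.rdp)` to confirm the custom settings made it into what users download.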
e. When you have finished adding the settings, click Apply.
2.3 Setting Up Single Sign-On
Change directory to C:\Program Files (x86)\SecurEnvoy\Microsoft IIS Agent\SAMPLES\RemoteDesktop2008R2
Copy passcodeok.htm, auth.htm and accessdenied.htm to ..\..\WEBAUTHTEMPLATE\
3.0 Configuration of SecurEnvoy Server
For single sign-on to work, the SecurEnvoy server must be configured to use the LDAP password as the PIN (this is the default).
Launch the SecurEnvoy admin interface, by executing the Local Security Server Administration link on the SecurEnvoy Security Server.
Click Config
Select LDAP Password is the PIN under PIN Management (This is the default setting)
Click Update to confirm the changes
4.0 Test Logon
Open a browser and navigate to https://machine.domain.com/RDWeb
Enter the domain username in the UserID field
Enter the domain password in the Password field
Enter the SMS passcode (received on your mobile phone) in the Passcode field
Select your Security Option
Click Send
Once logged on, you will be single signed on to the RDWeb access page
Note: You will be prompted for a domain login when you access any application.